AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Runtime networking is package-aligned for configured LLM, transcription, and explicitly configured connector/tool services.
Decision evidence
public snapshot- `package.json` has no preinstall/install/postinstall hooks.
- `dist/cli/index.js` only spawns its packaged Node gateway after explicit CLI commands.
- `dist/llm/ocr-registry.js` uses configured provider settings; no dynamic code loading occurs.
- `dist/connectors/executor.js` restricts connectors to validated HTTPS allowlists and blocks redirects/private hosts.
- No eval, vm, native-module loader, or foreign AI-agent config paths found in inspected `dist` files.
- Writes target package runtime config, local `.env`, auth, data, and backups under the working directory.
Source & flagged code
4 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/llm/ocr-registry.jsView on unpkg · L99Package source references weak cryptographic algorithms.
dist/message-dedupe/engine.jsView on unpkg · L178Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/agent-tools/agent-tool-router.jsView on unpkg